Last post i explained about installing phishing frenzy in kali linux, for today i want to go over some of the features that Phishing Frenzy has to offer, including campaign creation, customization, and execution.
Creating New Phishing Campaigns
After Login , go to the Campaign menu and click create new campaign.
Enter the name with description of your new Campaign, then mark active and enter the target email ids to phishing.
In the Template section select the template available for you, or you can create your own template. but for this post i going to use default template Intel password checker
If you don’t have default templates, you can do so by simply running the following rake task.
In SMTP section set the details of your smtp server, here i use my Gmail account.
In email setting section set the subject and from address of your phishing email and set the Phishing URL to redirecting.
In phishing option some advance options are available to use like intergrating with Beef to do XSS, Scheduling and iptables Restrictions.
Once you’ve setup a phishing scenario that works with Phishing Frenzy you can reuse them for all future campaigns. Phishing Frenzy also offers the ability to backup and restore templates.
Then test and lanch your campaign, it will send mails with redirecting link to your targets.
I typically make the email look like it came from someone within the company who is an authoritative figure. The email states that everyone should test their passwords to ensure they are in compliance with the company policies.
Open Report menu it will show that which user clicks on the phishing URL, they are directed to our fake Intel Password Checker website. The idea is that any passwords entered into the box will be harvested by us. You may notice that we are not asking for the users name or username in this scenario, and that is because we already have it.
Using a little PHP magic we can use the $_GET function to pull the base64 encoded email address from id parameter within the url. This way we know the email address and the password entered into the website.